Authentication
How requests authenticate against Strimz, and how to manage keys + scopes.
The Strimz API has two clients with very different needs: the dashboard, which runs in a merchant's browser, and your server-side code. Each has its own authentication scheme.
Dashboard sessions (Privy access tokens)
When a merchant logs in to the dashboard, Privy handles the auth flow (email, wallet, or social login). The dashboard then sends Privy's access token along with every API request:
The Strimz API verifies the token with Privy's server-side library, finds
the merchant by privyUserId, and attaches them to the request. The very
first time a new merchant logs in, you'll see a merchant_not_synced
error. The dashboard handles this automatically by calling
POST /v1/auth/sync to create the merchant row, then retrying the
original request.
You usually don't need to think about any of this. If you're building a custom admin tool, the browser SDK handles the token round-trip for you.
SDK requests (API keys)
Every server-side integration uses a Strimz API key:
Keys come in two kinds and two modes:
| Kind | Mode | Prefix | Use |
|---|---|---|---|
| Secret | Test | sk_test_ | server-side, test environment |
| Secret | Live | sk_live_ | server-side, production |
| Publishable | Test | pk_test_ | browser, test environment |
| Publishable | Live | pk_live_ | browser, production |
Secret keys must never reach the browser. If GitGuardian or our
own scanner spots one in a public source, Strimz rotates it
automatically. You get an email and the old key starts returning
401s.
Publishable keys are scoped to read-only methods and the create-session endpoint, so they're safe in the browser. The browser SDK uses them so your server doesn't have to round-trip every checkout intent.
Scopes
Every secret key has a scope list. When you issue a new key from the dashboard, you tick the actions it can take. The API enforces the list on every request. If your key has subscriptions_read but tries to call POST /v1/subscriptions/{id}/cancel, you'll get a permission_denied error.
Available scopes (underscore-separated, alphabetical):
The dashboard offers preset scope bundles ("read-only", "checkout-only", "full") so you don't have to tick eighteen boxes for every key. You can always issue a more permissive key later and revoke the narrow one.
Live-mode eligibility
You can't issue a live-mode key the moment you sign up. Live-mode unlocks once you've completed:
- Email verification. Privy verifies your email address.
- Two-factor authentication. Enabled in your Privy account settings.
- Business onboarding. The self-attested form in the dashboard (business name, sector, country, payout address).
The dashboard checks GET /v1/merchants/me/live-mode-eligibility,
which returns structured reasons so the UI can point you at the
right step. There is no manual review queue on the basic plan. The
key unlocks the moment all three checks pass.
Rotating a key
Revoke and re-issue at any time. The old key starts returning
authentication_error immediately. Strimz never hard-deletes a key;
it stays in your audit log as revoked so you can prove later when
it stopped working.
If a key is exposed in a public repo, contact security. Strimz auto-revokes it and audits usage from the leak window.
